Sold by: Fortinet Inc.
Deployed on AWS
AWS Free Tier
FortiWeb web application firewall defends your web applications and APIs, leveraging AI-based machine learning that models your applications and APIs to block malicious anomalies, control bot traffic, and identify the most important threats.
4.4
Overview
FortiWeb WAF defends your web applications and APIs using a multi-layered approach that intelligently and accurately protects your web applications from the OWASP Top 10 threats and more, without creating excess administrative overhead that can slow down deployment of your most critical line-of-business applications. Using AI-based machine learning, FortiWeb continuously and automatically models your application's behavior to:
- Identify and block malicious behavior
- Discover and protect exposed web APIs
- Identify and control bot traffic
- NEW identify attack patterns across your entire web application attack surface and aggregate them into security incidents across all FortiWeb and FortiWeb Cloud protected applications in a single Threat Analytics Dashboard (when you purchase the Advanced Bundle*) so that SOC analysts can focus on the threats that matter most. Combined with Fortinet Web Application Security Service from FortiGuard Labs, FortiWeb keeps your applications safe from vulnerability exploits, bots, malware uploads, DoS attacks, advanced persistent threats (APTs), and zero day attacks.
Highlights
- EFFECTIVE and ACCURATE protection that leverages machine learning to identify and block malicious behavior, discover and protect exposed web APIs, and identify and control bot traffic while minimizing the false positives that drive administrative overhead
- INTEGRATED with FortiGate, FortiSandbox, and leading third-party vulnerability scanners for enhanced zero-day threat protection and virtual application patching
- *NEW* ADVANCED THREAT ANALYTICS that help your SOC analysts focus on the threats that matter most by using the Threat Analytics Dashboard to identify attack patterns across all your cloud and on-prem deployments
Details
Sold by
Categories
Delivery method
Delivery option
64-bit (x86) Amazon Machine Image (AMI)
Latest version
Operating system
OtherLinux 8.0.4
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing and entitlements for this product are managed through an external billing relationship between you and the vendor. You activate the product by supplying a license purchased outside of AWS Marketplace, while AWS provides the infrastructure required to launch the product. AWS Subscriptions have no end date and may be canceled any time. However, the cancellation won't affect the status of the external license.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Vendor refund policy
BYOL, work directly with your Fortinet or Fortinet authorized channel account team.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Additional details
Usage instructions
After deploying the instance, click on 'Manage in AWS Console' to see the running instance and public DNS address to continue the configuration of the FortiWeb-VM. Connect to the secured Web UI via the public DNS address: https://Public DNS:8443. For any CLI configuration/settings, SSH is required to log into the CLI. Default login credentials are with a username of "admin" and the AWS Instance ID value as the password. The FortiWeb-VM Install and Configure guides are at https://docs.fortinet.com/document/fortiweb-public-cloud/latest/deploying-fortiweb-vm-on-aws-ec2/872945/creating-virtual-private-cloud-vpc . For the full FortiWeb Administrator Guide, please refer to Fortinet documentation: https://docs.fortinet.com/product/fortiweb
Resources
Support
Vendor support
ortinet FortiCare Support Services give you global support on a per-product basis. By subscribing to these services, you'll receive a timely response to any technical issue as well as complete visibility on ticket resolution progress. All FortiCare Support Services include firmware upgrades, access to the support portal and associated technical resources. FortiGuard Security Services include up-to-the minute threat intelligence delivered in real time to stop the latest threats.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
Fortinet FortiGate allows mitigation of blind spots to improve policy compliance by implementing critical security controls within your AWS environment. FortiGate includes all of the security and networking services common to FortiGate physical appliances.
FortiAuthenticator is a centralized user Identity Management solution to transparently identify network users and enforce identity-driven access policy in a Fortinet fabric. It supports FortiToken Two-factor authentication, Certificate and Wireless Guest management and Single Sign On capability.
The Fortinet FortiManager provides easy centralized configuration, policy-based provisioning, update management and end-to-end network monitoring for your Fortinet installed environment.
Fortinet professional design and implementation services for network, application, and cloud-native (CNAPP) security for AWS, hybrid, and multi-cloud environments.
The FortiWeb web application firewall (WAF) defends web-based applications from known and zero-day threats. Its AI-based machine learning identifies threats with virtually no false positive detections.
Customer reviews
Prasanth K.
Easy-to-Implement AppSec with Strong Signature Detection, Bot Protection, and Cloud Integration
Reviewed on Feb 21, 2026
Review provided by G2
What do you like best about the product?
While we use it as an mirror alternate to AWS WAF for our China accounts, It brings in lot of value ad interms of very less manual effort and almost covers all of our security aspects for both our internal and external apps.
Its Signature based detection and Advanced Bot protection defn needs a praise.
Synthetic Testing, Fabric Connector options really put forti's Appsec in driver position.
Its very easy implementation, to use and configuration and integration with cloud (AWS & Azure market place pfferings) comes in handy.
Its Signature based detection and Advanced Bot protection defn needs a praise.
Synthetic Testing, Fabric Connector options really put forti's Appsec in driver position.
Its very easy implementation, to use and configuration and integration with cloud (AWS & Azure market place pfferings) comes in handy.
What do you dislike about the product?
Just like any other software, its initial setup initial setup can be a head-scratching because the platform offers an overwhelming number of useful but complex options.
Reporting is some what limited which we got to knwo during our training and it pretty much remained the same today.
Reporting is some what limited which we got to knwo during our training and it pretty much remained the same today.
What problems is the product solving and how is that benefiting you?
Since AWS WAF is not allowed in China mainland, we use Forti products to cover our applications in place of this. Due to its general availability in AWS/Azure market place, we sort of setteled on this and it continue to impress us securing our products from almost all attacks.
Because of its powerful and multi option features, it covers all ur firewall needs not just for our application but DNS, ELB's nd other API security needs as part of our hybrid security strategy
Because of its powerful and multi option features, it covers all ur firewall needs not just for our application but DNS, ELB's nd other API security needs as part of our hybrid security strategy
Piotr M.
Streamlines Web Security but Needs UI Enhancements
Reviewed on Feb 18, 2026
Review provided by G2
What do you like best about the product?
I really like the ease of deployment and the AI-powered automation in FortiAppSec Cloud, which make protecting and accelerating web apps and APIs much more manageable. The initial setup was very straightforward and I appreciate the unified management and reduced complexity it offers.
What do you dislike about the product?
I find the custom rule tuning tricky at first and the UI/UX lacks intuitiveness. It could use better incident timelines and risk scoring for an overall polish. There's also occasional performance dip or latency under high traffic or complex rules.
What problems is the product solving and how is that benefiting you?
I use FortiAppSec Cloud to protect web apps and APIs, handling issues like false positives, evolving threats, and security challenges.
Alexandru R.
Secure, User-Friendly with Great Support, Minor Lag Issues
Reviewed on Feb 16, 2026
Review provided by G2
What do you like best about the product?
I really appreciate the ease of access with FortiAppSec Cloud, along with its reliable customer support which is very beneficial for me. The dashboard is also great because it allows us to monitor all activities conveniently. I found the initial setup process to be very easy, and we got everything set up in under one hour.
What do you dislike about the product?
There's some lag in the platform when we reach a large number of endpoints.
What problems is the product solving and how is that benefiting you?
FortiAppSec Cloud helps us deliver secure endpoints in the cloud to customers, with ease of access and reliable customer support.
Mansi S.
Robust Protection with Room for UI Improvement
Reviewed on Feb 13, 2026
Review provided by G2
What do you like best about the product?
I like the FortiAppSec Cloud's clean dashboard, which lets me quickly understand what’s happening without digging through endless logs. I also appreciate that I can log in and immediately see what types of attacks are being blocked, where traffic is coming from, and whether there are any unusual spikes. It's our security shield in front of our applications.
What do you dislike about the product?
The UI is clean overall, but sometimes when you're trying to troubleshoot something specific, you have to click around more than you'd like. A more straightforward log search or clearer explanations inside the dashboard would help. The UI is not customizable as well. I would love to see that option.
What problems is the product solving and how is that benefiting you?
I use FortiAppSec Cloud as a security shield for our web apps and APIs, providing deep visibility into traffic, reducing bot activity, preventing web attacks, and simplifying security reporting.
Shiv A.
Strong Security but Initial Setup Woes
Reviewed on Feb 11, 2026
Review provided by G2
What do you like best about the product?
I think the automatic security and centralized dashboard in FortiAppSec Cloud are pretty good. It's easy to integrate with Fabric, which is helpful, and it's pretty fast and easy to deploy and scale. The automatic security reduces manual rule tuning, and the centralized dashboard improves visibility and response time. The Fabric integration allows automated threat sharing across network and application layers, which improves both security posture and operational efficiency and also improves application latency.
What do you dislike about the product?
The initial configuration and setup for complex rules can be tricky, which is challenging for first-time users. Also, the UI and UX could be improved, particularly with richer incident storytelling like timeline-based views and smarter risk scoring. Sometimes, there's a bit of performance issue during peak traffic, and there's a lack of detailing in incident reports.
What problems is the product solving and how is that benefiting you?
I use FortiAppSec Cloud to reduce bot traffic, prevent API abuse, and protect from DDoS attacks and credential stuffing. It reduces manual rule management, improves visibility, and enhances security posture and operational efficiency.